IIS6: Application Pool with dedicated service-user identity causes integrated authentication to fail

application-poolsiisiis-6

I'm on IIS6 and asp.net 3.5 SP1.

I decided that my asp.net web application should have a dedicated application pool and a dedicated identity, because this identity is granted access to a sensitive file share that the web application uses. The web application uses integrated windows authentication for the incoming users, and my problem is that when the application pool is set to a dedicated identity, all incoming users fail to authenticate, i.e. the login box (from internet explorer) re-appears after the user submits his password. This problem does not occur when the application pool is set to the NETWORK SERVICE identity.

The dedicated identity has been granted access to the machine's IIS_WPG group and I have tried the following command:

aspnet_regiis.exe -GA myDomain\myDedicatedIdentity

But still no luck. Any suggestions? Any privileges that I forgot to grant to this identity?

Best Answer

I found the solution to my problem: set up an HTTP SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account that the application pool is running under. Here's the article: http://support.microsoft.com/kb/871179

Related Solutions

Iis – Service Unavailable – App Pool disabled error…anyone know why

The reason the app pool is being disabled is because Rapid Fail protection is on, so after a number of App Pool faults it will Stop the pool rather than restarting it.

You can disable Rapid Fail protection, but obviously that means you're still getting the error and you're just restarting the app pool every time; the best solution is to find out why it's crashing in the first place.

Unfortunately the error messages you get from IIS are not terribly useful, so to get a better idea of what is causing the crash you're going to need to run an IIS debug tool such as DebugDiag or IISState to get more information about the error.

It could be a problem with the particular code a site is running, or if its happening to multiple sites then maybe it's something more general. Running these tools should give you a better idea of what's causing it.

IIS7.5 Domain Account Application Pool Identity for SQL Server Authentication

Yes, the domain account will be added under Custom account: under Advanced Settings -> Identity. Below information is from Understanding the Built-In User and Group Accounts in IIS 7.0

IIS 7.0 automatically adds the IIS_IUSRS membership to the worker processes token at runtime. By doing this, accounts that have been defined to run as 'application pool identities' no longer need to explicitly be part of the IIS_IUSRS group.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting the manualGroupMembership value to 'true'. Below is an example of how this can be done to the defaultAppPool:

<applicationPools>
    <add name="DefaultAppPool">
       <processModel manualGroupMembership="true" />
    </add>
</applicationPools >

Best Answer

Related Solutions

Iis – Service Unavailable – App Pool disabled error…anyone know why

IIS7.5 Domain Account Application Pool Identity for SQL Server Authentication

Related Topic